Web based Authentication systems and more...e x p a n d e d
by Electrik Monk
(electrikmonk@mailexcite.com)
In 2600 Magazine vol. 14, no. 2, browser (HTTP) based authentication systems and their implementations on HTTP servers were explained. Hopefully, this document will go a bit further into the real world applications and examples of certain non forceful exploitations, for the purpose of educating sysadmin's in their pursuit of digital stardom. Okay, enough of the eloquent stuff, let's get to the facts.
Many servers have authentication systems and so called "administrator" areas where the admin (hopefully) can easily enter their password and gain full access to such things as logs, delete privs, and other admin duties, etc. These systems are largely unchecked and unknown to the majority of users and potential accessors. Such systems are built in to database programs, are custom designed, or are commercially available as part of a webserver suite, such as Micro$oft's NT server 4.0 (specifically the IIS server suite), M$'s Personal Web Server, and Apple Computer's own PWS variant. Others exist, of course, for Unix flavors, and other OSes.
What am I getting at? Many sysadmin's assume that these admin areas will be hidden from users, and thus, safe from the outside world. These perceptions are dangerous. These admin areas can be picked up by search engine bots, such as HotBot, and cataloged for all the world to see. Such was the case of a major Macintosh shareware archive site, and lo and behold, the entire admin system, including site passwords and deleting and site maintence features were availible, under a /admin directory, availible to anyone who could guess the URL, or look in the parent directory, which was also publicly availible. No IP filter was in place (though having one does not guaruntee privacy), and the [site] was immediately contacted and told of the problem. The webmaster fixed the problem within a month, and has since restructured their site layout to benefit from enhanced security. Other examples could be noted in Windows NT in which, theoretically, administrative passwords could be obtained if the server in question was running WinNT Server 4.0, and M$ IIS 3.0 server software, as documented by weld (weld@l0pht.com) in a L0phT advisory last year. WinNT server with IIS has an admin area in which the admin can login, which uses “Active Server Pages” (.asp) files. If a user were to replace the "." with "%2e" (no quotes) for that file, it is possible that the authentication system or the administrative functions page could be accessed, or admin password revealed with normal access privs. (No superuser access necessary). Other programs, such as Apple's PWS variant uses the built in MacOS Users&Groups file to authenticate who can obtain access to certain areas. Again, under certain conditions, at odd hours in the night ;) , access could be obtained.
Most of the above examples may not work for you because of the various advisory releases that have prompted Micro$oft to put out a patch for the .asp loophole (and yes, they probably have their own servers patched, wise guy), and others to fix their mistakes. In writing this article I hope to educate those other sysadmins out there who should take better precautions against easy hacks and cracks into their admin functions. Let it not be ignored that database programs have not even been covered, and with the release of the popular Claris File Maker Pro 4.0, which allows anyone with a net connection (dialup or otherwise) to set up a database searchable to anyone via an HTTP browser, well....the possibilities are endless. Let it be a reminder to those sysadmins not wishing their admin areas to be picked up by bots, there are likely as many loopholes in making the admin section a dynamic CGI. Last but not least, neither Java nor JavaScript are fault tolerant systems, and should not be taken for granted. What this says about many free web based email services is either promising or scary, depending on whose side you are on. Finally, most admins do keep logs (duh) and it will be very apparent what you are trying to accomplish when the logs are reviewed. Please use your head.
List of Abbreviations:
_______________________
PWS - Personal Web Server
M$ - Microsoft Inc.
IIS - the Internet Information Services (or some such acronym) server program (bundled with WinNT Server)
CGI - Common Gateway Interface
Notes:
_______________________
The Mac shareware site’s name has been left out for obvious reasons.
The WinNT ASP hack is detailed at <http://www.L0phT.com/> under “Advisories”.
Many thanks to the L0phT for their work, and to my lawyer.... ;-)
